AUDIE CORNISH, HOST:
Earlier this year, Chinese government hackers stole tens of thousands of emails by slipping into a Microsoft Exchange email server - a breach serious enough for the White House and the FBI to take notice. Dina Temple-Raston of NPR's investigations team reports the attack went far beyond stolen correspondence.
DINA TEMPLE-RASTON, BYLINE: Steven Adair noticed back in January something suspicious in one of his client's servers. Someone appeared to be stealing emails.
STEVEN ADAIR: Kind of like a, you know, my hair is almost raising on my arms. And I think, you know, this feeling of, like, oh, crap, this is not what should be going on.
TEMPLE-RASTON: Adair is the president of a cybersecurity firm called Volexity. And he could see that intruders had actually taken control of the server linked to the Microsoft Exchange program. And whoever it was was asking for access to specific emails and the local Exchange server was just giving it to them - no passwords needed.
ADAIR: The attackers basically figured out how to trick the Exchange server into making requests. The receiving server goes, oh, you're the Exchange server. You're a trusted entity. You're allowed to do this. I mean, basically, it doesn't check that this is a completely unauthentic (ph) request.
TEMPLE-RASTON: Now, at first blush, swiping emails may seem like a small thing. But they actually contain really valuable information that can be combined with other data to provide a great deal of intelligence. And we'll get to that in a minute. Initially, when Steven Adair's team alerted Microsoft, the company wasn't all that worried.
TOM BURT: At the time, it was perceived as a relatively routine report of a couple of vulnerabilities, I think one of which had already been discovered.
TEMPLE-RASTON: Tom Burt is a vice president at Microsoft. And among other things, he manages the digital crime unit there. And his team thought that what Adair and Volexity had uncovered was a simple espionage operation.
BURT: When we saw them using this vulnerability, it was in just a couple of dozen entities worldwide and just a handful in the U.S. And we and the rest of the defender community see this activity happening all the time.
TEMPLE-RASTON: Microsoft has a threat intelligence center that tracks dozens of nation-state hackers, so it didn't take them long to determine that Chinese government hackers known as Hafnium were the ones poking around those Microsoft Exchange servers.
BURT: This is a group that's relatively newer on the scene. We've been tracking them for about a year and a half now.
TEMPLE-RASTON: Hafnium has an M.O. that gave them away. It tends to target government agencies, medical facilities, NGOs, academics and law firms. The Microsoft team also noticed that the hack had a twist. In order to work, it needed a weirdly specific piece of information - the exact email address of the person running the local Exchange server.
BURT: That would be different for every single company and organization around the world. And it's not public information. And so we actually - when we looked at this, we thought, well, how is this happening?
TEMPLE-RASTON: As they were trying to figure that out, they discovered something else. The hackers had found a coding error in the Microsoft Exchange software. And to fix it, Microsoft would need to send customers a piece of code called a patch. And that happens all the time. So that might well have been the end of it, were it not for one thing - the little, tiny hack went viral. Suddenly, the hackers were everywhere.
BURT: All the sudden, we saw hundreds a day. And then that continued to escalate until, I think, we were seeing north of several thousand a day. And so it was a very significant and noisy escalation.
TEMPLE-RASTON: The attackers compromised tens of thousands of servers, and there appeared to be no rhyme or reason to the targets.
(SOUNDBITE OF MONTAGE)
UNIDENTIFIED REPORTER #1: The U.S. and key allies are blaming China for a massive cyberattack against Microsoft last March.
UNIDENTIFIED REPORTER #2: As many as 30,000 entities inside the United States have been impacted by this security flaw in that Microsoft software.
JEN PSAKI: This is an active threat. Everyone running these servers - government, private sector, academia - needs to act now to patch them.
TEMPLE-RASTON: That's Jen Psaki, the White House press secretary.
(SOUNDBITE OF ARCHIVED RECORDING)
PSAKI: We are concerned that there are a large number of victims and are working with our partners to understand the scope of this. So it's...
CHANG KAWAGUCHI: I think this was probably the first time a tool we built was specifically pointed to in a White House press release.
TEMPLE-RASTON: That's Chang Kawaguchi. He heads a team that writes those software patches. And he said that while patching allows people to protect their systems, it also tells criminals around the world what to look for.
KAWAGUCHI: One of the things about going public is that you can't just tell the good guys, right? When we release a patch, the bad guys start reverse engineering it immediately. And so we always know when we're releasing, that that's the starting gun of a race.
TEMPLE-RASTON: It isn't a race between the bad guys and Microsoft. It's a race between the bad guys and local IT departments who have to apply the patch. The White House was so concerned, it convened a task force - in fact, Tom Burt was on it - to figure out ways to explain to people how serious this all was. What the task force didn't say publicly was that it was worried that the email theft was just the beginning.
BURT: The concern was whether ransomware criminals were going to use this vulnerability to attack broad swaths of the economy in the United States or anywhere else around the world.
TEMPLE-RASTON: That's why the FBI stepped in. A judge cleared the way for the bureau to scan the internet, find what the Chinese had planted in the individual Exchange servers and then remove it without informing the victims first. It was a controversial move. Though, Kiersten Todt, the managing director of the Cyber Readiness Institute, said they had little choice.
KIERSTEN TODT: You were seeing schools being affected, state and local governments, underresourced entities that didn't have the resources to respond.
TEMPLE-RASTON: The variety of targets, she believes, wasn't an accident.
TODT: This is very much along the M.O. that they use, which is to gather and aggregate data as much as possible and not discriminating where that data comes from.
TEMPLE-RASTON: Vacuuming up any and all information could end up coming in handy later, as it did in the Exchange hack. Tom Burt thinks the Chinese probably got the specific email addresses they needed from an earlier operation.
BURT: And what we've heard directly is they've accumulated vast quantities of data about American and other enterprises and individuals. And they must have created a massive database that included the actual email of tens of thousands of individuals who are the Exchange server administrators.
TEMPLE-RASTON: But weaponizing information for cyberattacks may be just a short-term goal. Kiersten Todt thinks this is really about China trying to become the world leader in artificial intelligence or AI.
TODT: There is a long-term project underway, and we don't know what they're building. But what we do know is that diversity of data, quantity of data, aggregation, accumulation of data is going to be critical to its success.
TEMPLE-RASTON: To be successful, AI needs information to learn from. The more information it has, the better chance it has of discovering things. China has built-in advantages. It has a billion people it can collect information from. And reportedly, it's been stealing from others to get even more. But there's more at stake here than just crime.
TODT: Artificial intelligence is going to be a model and a mechanism by which insurance rates will be calculated, health care data will be calculated, arguably how we take care of each other, how the banks operate, how we get credit.
TEMPLE-RASTON: Todt says we should ask whether we feel comfortable with China building AI for the rest of us.
TODT: And you can social engineer to the culture. What China is looking at as it builds out its AI is it can social engineer to its priorities, to its mission, to those traits and qualities that are important to that country versus those which may be different represented in other countries.
TEMPLE-RASTON: Countries, for example, like ours. China, for its part, denies any of this is going on. In fact, it said that it has nothing to do with the attack on Microsoft Exchange.
Dina Temple-Raston, NPR News.
(SOUNDBITE OF MUSIC)
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.